
LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE: The University of Western Ontario & McMaster University's Experiences, June 7th, 2011.




1 LESSONS LEARNED ON THE WAY TO PCI COMPLIANCE: The University of Western Ontario & McMaster University's Experiences, June 7th, 2011

2 Agenda
- Introductions
- What is PCI and Why is it Important?
- Lessons Learned
- What Lies Ahead?

3 Introductions
- Sharon Farnell – Director, Internal Audit – The University of Western Ontario
- Stacey Farkas – Supervisor, Financial Reporting – McMaster University
- Tim Russell – Project Manager, University Technology Services – McMaster University

4 Introductions
Western: $27 million in credit card sales; $31 million in credit card sales; 60 merchants
McMaster: $24 million in credit card sales; $25 million in credit card sales – $16 million in INTERAC ONLINE transactions; 58 merchants

5 What is PCI?
- PCI-DSS: Payment Card Industry – Data Security Standards
- Standards developed by the credit card companies (Visa, M/C) to protect cardholders
- PCI data security requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data
- EVERY merchant is required to be in compliance with these standards

6 What is PCI? There are 12 requirements, grouped into six categories for PCI Compliance:
- Build and Maintain a Secure Network (req. 1 & 2)
- Protect Cardholder Data (req. 3 & 4)
- Maintain a Vulnerability Program (req. 5 & 6)
- Implement Strong Access Control Measures (req. 7, 8 & 9)
- Regularly Monitor and Test Networks (req. 10 & 11)
- Maintain a Policy that addresses Information Security (req. 12)

7 Merchant Levels
Merchant Level 1
- Processing volume per year: more than 6,000,000 Visa transactions
- Validation actions: Annual on-site PCI-DSS Assessment; Quarterly Network Scan
- Validated by: Qualified Security Assessor (or Internal Audit if signed by an Officer of the company); Approved Scanning Vendor
Merchant Level 2
- Processing volume per year: 1,000,000 to 6,000,000 Visa transactions
- Validation actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
- Validated by: Merchant; Approved Scanning Vendor

8 Merchant Levels
Merchant Level 3
- Processing volume per year: 20,000 to 1,000,000 Visa e-commerce transactions
- Validation actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
- Validated by: Merchant; Approved Scanning Vendor
Merchant Level 4
- Processing volume per year: fewer than 20,000 Visa e-commerce transactions, and all other merchants up to 1,000,000 transactions
- Validation actions: Annual PCI-DSS Self Assessment Questionnaire (SAQ); Quarterly Network Scan
- Validated by: Merchant; Approved Scanning Vendor

9 Merchant Types: The PCI Security Council separated out merchant types and introduced an SAQ for each type in 2008.

10 Why is PCI Compliance Important?
- FINANCIAL RISK – fines from the payment processor and/or credit card companies; costs to notify cardholders; repayment of fraudulent charges incurred by the end consumer; audit costs by the PCI assessor
- LOSE THE ABILITY TO PROCESS CREDIT CARDS – CAMPUS WIDE
- REPUTATIONAL RISK!
- OPPORTUNITY TO ENHANCE SECURITY/IT BEST PRACTICES

11 Our PCI Approaches
Western: Central approach to Self Assessment Questionnaires (SAQs).
McMaster: Centralized management with individual merchant responsibilities.

12 Lessons Learned
1: Collaboration of stakeholders is key
2: Identify your PCI scope and environment
3: Minimize local payment processing
4: Centralized merchant approval process
5: Audit considerations
6: Don't underestimate your time
7: Breach escalation process
8: Centralized approach to PCI DSS Self Assessment Questionnaires
9: Include PCI compliance in the RFP and purchasing process
10: Funding: who pays for this?
11: It's a learning journey
12: Risk management strategies

13 Lesson 1: Collaboration of Stakeholders is Key
Western: Central Bank Card Committee – Financial Services, Internal Audit, IT, campus department representatives; chaired by the AVP, Financial Services.
McMaster: PCI Steering Committee – Financial Services, IT, key departments, Internal Audit; chaired jointly by the AVP Administration and the CIO.

14 Lesson 2: Identify your PCI Scope and Environment
Western: Pre-RFP review – evaluate the environment; IT code review; interviewed all campus departments.
McMaster: Had a PCI gap analysis completed in 2008; helped us to focus on high-risk areas within the 12 requirements – action plan via the PCI Steering Committee.

15 Lesson 3: Minimize Local Payment Processing
Western: Campus merchants are required to use Western's internal payment page; currently migrating to an external pay page solution.
McMaster: Steer merchants to hosted pay page solutions; place compliance on the software vendors; moving from Type D to Type A merchants – less risk.

16 Lesson 4: Centralized Merchant Approval Process
Western: New e-commerce merchants must be approved by the Bank Card Committee; PCI compliance is a requirement.
McMaster: Upfront approval process – new merchants must meet PCI DSS requirements before a merchant number is issued; merchants can be suspended if not in compliance.

17 Lesson 5: Audit Considerations
Western: Limited scope – lower costs; important for the auditor to apply PCI to a university setting; consistency of auditor is key; demonstration of compliance.
McMaster: Pre-audit in 2008 – helped to limit scope; focus on individual (Type D) merchants.

18 Lesson 6: Don't Underestimate Your Time
Western: Six months became 2+ years; IT resources – significant impact – documentation; have people to help keep on track.
McMaster: Committee commenced work in 2006, still on-going; education and clarification of requirements took a long time.

19 Lesson 7: Breach Escalation Process
Western: Requirement of PCI-DSS; took time to get it right.
McMaster: Developing protocols for front-line workers and internal response; escalating communication plan dependent on the nature of the breach.

20 Western Breach Protocol (flowchart; ITS as initiator)
Perceived breach – types of breaches:
1. Receipts compromised
2. POS compromised
3. Electronic client data compromised
4. Missing items
5. Technical breach
6. Unauthorized wireless device
Contacts: UWO Police x911; UWO Finance x85432; UWO Legal x84217; UWO IPO x84541; UWO NSO / IT Security; UWO Communications.
Escalation steps:
- USER: identify, inform and contain; the user ascertains the risk and notifies accordingly. Branches: missing files, machine, data (Type 4); device theft or device tampering (Types 1, 2, 3, 5).
- POLICE: engage criminal investigation and inform the NSO.
- NSO/CISO: assesses data risk and contains; notifies the IPO and Finance.
- FINANCE: assesses financial risk and notifies the NSO on data and vendors for transactional items; transactional items on stop or alert with Moneris.
- IPO: interfaces with the NSO, Legal and Communications if privacy is at risk.
- LEGAL: after risk assessments and vendor notification, Legal is informed by the IPO if necessary.
Principles: ACT FAST! CONTAIN THE DAMAGE. PRESERVE EVIDENCE. DO NOT ACCESS THE COMPROMISED SYSTEM.
Legend: IPO – Information Privacy Office; UWO IT – Western Information Technology; NSO – Network Security Officer (CISO); CISO – Campus Information Security Officer; Moneris – corporate payment processor.

21 Lesson 8: Centralized Approach to Self Assessment Questionnaires
Western: Created its own internal SAQ to be filled out by departments; fills out the SAQ for the university as a whole centrally.
McMaster: Each merchant is responsible for filling out the PCI SAQ; SAQ questionnaires are now automated through on-line submission; 3rd-party company for both SAQ submission and quarterly scanning.

22 Lesson 9: Include PCI Compliance in the RFP & Purchasing Process
Western: Push your knowledge to external partners / vendors.
McMaster: Smaller companies weren't always aware of PCI compliance; integrated into policy and purchasing documents.

23 Lesson 10: Funding – Who Pays for This?
Western: Funded centrally.
McMaster: Yearly internal merchant PCI levy – base charge plus volume-based charge with caps; essentially covers the cost of 1 FTE in IT and 0.5 in Financial Services; now covers the cost of the 3rd-party assessor.

24 Lesson 11: It is a Learning Journey
Western: PCI changes – it helps to have experts.
McMaster: On-going changes – the risks change, therefore the compliance also changes; adapt to new business processes; a learning journey for software vendors as well.

25 Lesson 12: Risk Management Strategies – Both Universities
- Governance and oversight
- Third-party assessors and PCI advisors
- Pro-active compliance by doing more than required
- Migration to hosted payment page
- Required annual merchant training

26 What Lies Ahead?
Western: Keep ahead of PCI – change approaches as you go.
McMaster: Monthly, quarterly and annual activities, based on merchant type.
PCI Security Council: three-year cycle for standard revisions; now possible for internal auditors to be certified to conduct PCI audits.

27 References PCI Security Council: https://www.pcisecuritystandards.org/index.shtml University of Western Ontario: McMaster University:

28 Thank you!/ Merci! Contact Information: Sharon Farnell Stacey Farkas Tim Russell




